What are organizations?

In this article we will talk about what organizations are
What are they and what are they for?

Let us find out what they are, what they are for and how important they are in UTOPIA – the GDPR software for privacy management.

The Organization is the first section to fill in, a mandatory step to immediately lead the company towards compliance.

All the information of an organization is essential to build in a guided and simplified manner the register of processing operations, the privacy policy and the DPIA as required by the GDPR.

An important distinction:

●    If you are a professional offering privacy services, the organizations will be your customers

●    If you are a company, the organization will be the company itself

Which data makes up an organization?

General information

In addition to general information such as business name and VAT number, you can also specify if the company operates as a processor. How to determine it?

●    Controller: when the company itself decides purposes and methods for processing personal data.

●    Processor: when the company processes the data on behalf of a controller and has no "say" in the processing operations it carries out.

●    Both figures: many companies are both controller and processor of personal data

Let us give an example – a company that develops and provides personnel management software, for example, could be the data controller for its own employees and the data processor for its customers. The purposes of the processing operations will be different but the organization is the same, and it operates in both ways for separate processing operations.

Other information about the organization


You can add the the offices of the organization; this way, when creating the register or the privacy policy, you will choose for which office do it.

It can happen that administrative data is managed in one place while commercial data is managed in another, so it becomes very useful to create and differentiate them.

Organization chart

Not to be confused with the privacy organization chart. It is the company organization chart, where we will specify the areas or departments of the company including, but not limited to, the processor.

In this list we will also include all persons authorized to process personal data, i.e. all persons within the organization who process personal data.

After completing the list, you can view it in graphic form and download it as image on your computer.

Company procedures

In this section you will store and upload all of your organization's documentation, such as company policies, internal specifications, guidelines or regulations.

By indicating the release date and version number, you can keep track of all the updates, which is one of the most important – often forgotten –organizational measures.

Joint controllers

They are those subjects, not always present, with whom the controller jointly decides the purposes and modes of a processing operation.

For example, it may be the case that two companies organize a competition in synergy: it will be necessary to draw up a joint ownership agreement for the necessary processing operations and make it available, in short form, also to data subjects.


Where the registered office of the controller is outside the European Union, a representative residing in the European state in which the data subjects are present must be appointed.

He is the contact person and may also act as a substitute for the controller in matters relating to processing towards the supervisory authority or the data subjects.


The data processor is a further subject (company, person or service) with the task of assisting the data controller, if the latter deems it appropriate, following an assessment of the complexity and level of risk of the processing activity carried out.

System administrators

In this section you will see all the persons authorized to process data and any processors that are also system administrators.

To see how to produce the documentation for external system administrators, read this article.


One of the main innovations of the GDPR, the so-called data protection officer. They are a crucial role, always mandatory for the Public Administration and – in some cases – also for private companies. You can read more about them here.

Privacy contacts

In this section you can add the company's privacy consultants, including the figures who support the controller in the numerous obligations required by the regulation.

Company assets‍

These are all the tools used to store personal data, such as lockers, servers, software, PCs and smartphones.

It is essential to track all of them in order to have a complete view of where the processed data physically reside.

Here we are at the end of the first section present in UTOPIA, fundamental to proceed in a guided and facilitated way towards the goal of a “GDPR compliant organization”.

Torna alla documentazione

Create your account for free

Crea il tuo account personale in meno di un minuto e scopri tutte le potenzialità di UTOPIA. Tutto incluso e senza alcuna limitazione, gratuitamente, per 14 giorni.

Already over 1000 customers
No credit card required
Try it for 14 days, with no limitations
By clicking the button the processing conditions are accepted
Iscrizione effettuata con successo!
Si è verificato un errore imprevisto durante l'iscrizione. Riprova...